Information Security

Initiatives to Protect Personal Information

The Nisshinbo Group recognizes that one of our key corporate responsibilities is to ensure that all important information related to stakeholders is protected and managed appropriately. In order to fulfill this responsibility, the Group handles personal information in accordance with our Privacy Policy. In addition, internal audits are conducted to confirm that company regulations are functioning properly, and steps are taken to prevent information leaks and realize ongoing improvements.

At the same time, to ensure every one of its employees maintains awareness of personal information protection, the Nisshinbo Group conducts training when employees join the company and when they are promoted as well as training at each of our business sites based on its annual plan.

Initiatives to Ensure Information Security

The Nisshinbo Group is constantly reinforcing information security measures to prevent leaks of confidential information, including customers' personal information.

As a countermeasure against cyberattacks, we monitor e-mails through a targeted e-mail attack prevention system and use anti-virus software and security patch programs widely on our IT equipment. We also employ information security management systems to monitor access to important data and limit access to information networks from unauthorized IT equipment. Through these measures, we work to prevent leaks of information from internal fraud and prevent external threats.

We have established Guidelines for Information Security as rules for Group companies to follow. To ensure compliance with these rules, we regularly conduct IT internal audits on our subsidiaries both in Japan and other countries, and work continuously to improve their status.

The rules for users of the information system are defined as part of the educational materials. Regular education sessions and e-learning are intended to raise the awareness of information security measures for users within the Group as a whole.

To raise cybersecurity awareness, the Group conducted targeted e-mail training for employees of domestic group companies. Those who opened the training e-mail were given education through content displayed at the time of opening. The Group will continue this training in the future.

From the standpoint of business continuity in the event of a large-scale disaster, we are in the process of migrating the business servers located in our in-house server room to external data centers.

In addition, we are developing an IT infrastructure for the safe use of telework in response to new normal lifestyles.

Digital Transformation (DX) Initiatives

The Nisshinbo Group will continue to accept the challenge of developing technological innovations, such as digital marketing, in response to the stricter implementation of the revised Personal Information Protection Law implemented in April 2022. For example, to strengthen information security and promote DX, we will introduce pseudonymous processing and encryption technologies, to process data in ways that cannot identify individuals.

The spread of telework due to the impact of the COVID-19 pandemic, the digitization of business and services, and Working Style Reforms are all accelerating. Promoting DX has become one of the key strategies in management, but at the same time, it has become essential to take advanced information security measures. In light of these social conditions, the Nisshinbo Group is currently working to shift its IT infrastructure from a conventional perimeter security model to a zero-trust security model* with a high level of security.

* A security model based on authentication and authorization for each access to resources and data, addressing what the conventional perimeter-type security architecture model cannot, and based on the idea that users, terminals, and areas are not unconditionally trusted.

Examples of the Nisshinbo Group Activities

Implementation of targeted e-mail attack training

Nisshinbo Business Management (Shanghai) Co., Ltd. conducted targeted e-mail attack training for Nisshinbo Group companies in China. Cyber damage, such as virus infections, has occurred in China from opening suspicious emails, so the company planned the training taking into account the need to educate employees through training in Chinese.

After Group companies were asked whether they could participate in the training, 13 companies joined, with 311 participants once the target employees had been tallied. Together with the contractor, the company made preparations, including reviewing the content of the training emails, and the training was set up to check whether or not recipients clicked the URL attached to the email.

As a result, the overall rate of opening attached files or connecting to the URL was about 7%, which is slightly higher than expected. The company reported the results of this training at the China Group company representative interaction meeting, where representatives from each company gathered, and shared the results of the interviews with local staff who opened the training email.

In the future, the company will continue to work in cooperation with the Nisshinbo Group Information System security department to improve the level of information security in China.

ISO/IEC 27001 inspection

Japan Radio Co., Ltd. undergoes periodic and renewal examinations by the Japan Quality Assurance Organization (JQA), and in fiscal year 2021, 13 departments received ISMS certification.

ISO/IEC 27001 is an international standard for information security management systems (ISMS). This certification will ensure the well-balanced management of the three aspects of information confidentiality, integrity, and availability for effective use of the information.

The company also received ISO/IEC 27001 certification in July 2011 with the primary goal of improving information security and building an external relationship of trust. The scope of certification is the information systems departments of the Solutions Segment. In the Solutions Segment, in particular, certification is a prerequisite for government auctions. To raise security awareness, the company will conduct annual ISMS internal audits and work on continuous improvement activities (PDCA).

ISO/IEC 27001 certificate

ISMS Surveillance Review Receipt

The ISMS 10th Surveillance Review was conducted with nine departments in the head office of JRC Tokki Co., Ltd., along with three business sites between July 16 and 20, 2021.

ISMS defines 114 control measures, each with a particular risk-reduction purpose, to be applied within the organization. Although the company had previously excluded the control measures for teleworking employees, it has brought telework into its scope since 2020 in response to the novel coronavirus and has newly established the system environment and IT regulations.

During the surveillance review, the implementation of telework control measures in each department was audited.

In addition, with regard to attacks and targeted email attacks aimed at telework environments, the company issued reminders as widely as possible, for example by circulating information from the police agency throughout the company.

Measures to prevent leakage of internal information

In order to prevent leaks of confidential information, Saeron Automotive Corporation (SAC) of Korea strives to block access by unauthorized persons and to prevent the leakage of internal information through network access control (NAC), centralized document control, and information leakage prevention (DLP) security programs.

Specifically, whenever an employee accesses the company's network, the NAC software must be installed and the person must be verified as an authenticated user. Centralized document control means that all internal documents are stored in the company's folders in encrypted form and that access to the folders and the viewing of documents are controlled according to the authority of individual users. These documents are accumulated as valuable company information for information sharing. DLP controls the removal of documents via e-mail and USB devices, and every such removal must be approved by those with the authority to do so.

In addition to responding to periodic IT audits by the Nisshinbo Group, the company will also comply with the Nisshinbo Group's information security guidelines.

Information security education with individual guidance

PT. Standard Indonesia Industry provides annual information security education, and in 2021, IT personnel provided education to all persons in the form of individual guidance.

Until now, educational materials were distributed in group training sessions. This time, dual monitors were introduced to improve the efficiency of PC operations, and the program was also intended to teach participants how to use them more efficiently. In addition, an individual guidance format was adopted.

The main content of the information security education is how to manage files and how to respond to suspicious email. The company believes that individual guidance allowed more careful education and that the level of understanding of information security rose higher than ever before. In the last few months, many reports have been received of illegitimate emails with virus attachments, and because such risks arise on a daily basis, the company plans to continue regular education and timely reminders as countermeasures.

Individual information security education